With Wordfence, how do I modify my htaccess file correctly?

Hi @mikeharrison, thanks for reaching out to us.

There are a number of occasions in our help documentation where changes to .htaccess are required for certain operations so you should be able to add your changes without issue. If the file changes are flagged as part of a scan, you will be prompted and can choose to ignore them as you’re aware of the origin of those changes.

Wordfence doesn’t offer an inbuilt option to hide wp-admin or wp-login.php. With certain “security through obscurity” methods, this would only serve to slightly slow down somebody with malicious intent rather than stop them.

Our thoughts on the wp-login URL is discussed in this video which is provided for your information: https://www.wordfence.com/blog/2017/10/should-you-hide-wordpress-login-page/

Using strong account passwords and two-factor authentication, along with always keeping your WordPress and plugin versions up-to-date should offer the best level of security. Wordfence cannot stop somebody from trying to access your site, but deal with those attempts properly when they occur.

Thanks,

Peter.

Thanks, Peter.

Great info. I watched the video.

My site’s Admin account is the only user account, and my username and password are both uncommon and long (18+ characters). The site is configured to allow automatic updates of my theme and plugins (which are few), and I log in every morning to check the site’s status. So I’m very security-conscious.

The code I’d like to add to my htaccess file is that which will block referral spam; code that was successfully used prior to my beginning use of Wordfence.

My concern is whether I can upload the modified htaccess file (leaving Wordfence content untouched) via ftp without Wordfence seeing it as a threat and locking me out.

There doesn’t seem to be a means of searching Wordfence help for this concern. Are you able to provide a link?

Many thanks.

Mike

• This reply was modified 3 years, 9 months ago by MikeHarrison.

Hi @mikeharrison,

We don’t specifically cover your circumstances, but a case where we instruct users to modify their .htaccess would be something like our instructions for bypassing Litespeed’s NOABORT check: https://www.wordfence.com/help/advanced/system-requirements/litespeed/#if-litespeed-aborts-wordfence-scans-and-updates

Naturally don’t insert the information on that page unless it applies to your configuration, but your idea of downloading the live .htaccess, modifying it externally then re-uploading it is the correct procedure – as is modifying it “live” using your hosting’s web-based file manager. You shouldn’t be locked out by doing this as you’ve modified it in an administrative capacity rather than by attempting a front-end upload or other paths an attacker may try.

I always recommend keeping a copy of your original file in case you need to revert back, but Wordfence should at worst prompt you that the contents have been changed, which can be ignored in your case.

Let me know if you have any issues, but as long as the code you insert is well-formed I don’t expect there to be any.

Thanks,

Peter.

Oh, yes: I ALWAYS make backups before making modifications.

Thanks for confirming that my modification method should go without incident, and for your speedy replies. It’s much appreciated!

Mike